GF,

GF wrote:
|> I believe if your session starts through HTTPS, the cookie will be
|> marked as secure and it won't be sent if the user switches to non-secure
|> HTTP.
|
| Maybe my question is stupid, but, is it possible to browse a site on
| HTTP and having just the JSESSIONID cookie sent on HTTPS to prevent
| session stealing?

Do you mean you want to configure Tomcat such that cookies are only sent via HTTPS and suppressed for all HTTP traffic? If yes, then I already told you how to do it: just make sure that your cookies are created during an HTTPS request and that should be all you need. If you need your HTTP requests to be related to the same server-side session, then this is not going to work out for you.

With regard to session stealing... someone on the list recently asked if Tomcat could be configured to ignore JSESSIONID cookies even if "cookies" had been turned off in the configuration. I believe the answer was that Tomcat will use a cookie if it was found, so an attacker could always send JSESSIONID cookies to you just looking to see if he hits a valid one.

If you really want to get paranoid, you can create a filter that vetoes all requests that contain a JSESSIONID cookie but don't use the HTTPS scheme.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
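The veto filter Chris suggests, as an added example written for this thread rather than code from the thread or from Tomcat itself; it assumes the javax.servlet Filter API and a deployer-chosen web.xml mapping of the filter to /*. The class name and the choice to also invalidate the exposed session are this example's own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not from the thread): refuses any request that presents a
// JSESSIONID cookie over plain HTTP. Map it to /* in web.xml.
public class SecureSessionCookieFilter implements Filter {
    private static final String SESSION_COOKIE = "JSESSIONID";
    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isSecure() is true only when the container itself received the request over
        // HTTPS; behind a TLS-terminating proxy the proxy must convey the scheme to Tomcat.
        if (!request.isSecure() && hasSessionCookie(request)) {
            // The session id was seen on the wire in clear text: treat it as exposed and
            // drop the server-side session, not just this one request.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session cookies are accepted over HTTPS only");
            return;
        }
        chain.doFilter(req, res);
    }

    // True if the request carries a cookie named JSESSIONID, whether or not it is valid.
    static boolean hasSessionCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when no Cookie header was sent
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) return true;
        }
        return false;
    }
}
```

Because the check is on the cookie's presence rather than its validity, it also rejects the blind JSESSIONID probes Chris mentions, as long as they arrive over HTTP.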